May 30, 2024 - 7:41 p.m.

Security Bulletin: Multiple Security Vulnerabilities were discovered in IBM Security Verify Access Container (CVE-2024-35140, CVE-2024-35141, CVE-2024-35142)

2024-05-30 19:41:27
www.ibm.com

CVSS3: 8.4

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.9 (Confidence: Low)

EPSS: 0 (Percentile: 9.0%)

Summary

Vulnerabilities were discovered during an assessment of the IBM Security Verify Access Container product. They were addressed in the ISVA 10.0.7 release.

Vulnerability Details

CVEID: CVE-2024-35142
**DESCRIPTION:** IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.
CVSS Base score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/292418 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-35141
**DESCRIPTION:** IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.
CVSS Base score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/292417 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-35140
**DESCRIPTION:** IBM Security Verify Access could allow a local user to escalate their privileges due to improper certificate validation.
CVSS Base score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/292416 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Security Verify Access Docker | 10.0.0, 10.0.6

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

  • Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions | Fix availability
---|---
IBM Security Verify Access 10.0.0.0 | 10.0.7-ISS-ISVA-FP0000

Workarounds and Mitigations

None

Affected configurations

Node: ibm security_verify_access 10.0.0 OR ibm security_verify_access 10.0.6

Vendor | Product | Version | CPE
---|---|---|---
ibm | security_verify_access | 10.0.0 | cpe:2.3:a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
ibm | security_verify_access | 10.0.6 | cpe:2.3:a:ibm:security_verify_access:10.0.6:*:*:*:*:*:*:*
